Spring Boot LDAP Auth NameNotFoundException

I'm trying to set up ldap authentication using spring boot. I've done this on another project a while back setting up the authorization through the tomcat context file. So I already have a working setup to reference, just not in spring boot format.

In my SecurityConfiguration I add

@Override
    public void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .ldapAuthentication()
                .userSearchBase("OU=users,DC=dom,DC=company,DC=com")
                .userSearchFilter("(sAMAccountName={0})")
                .contextSource()
                    .url("ldaps://ldap.company.com:424")
                    .managerDn("CN=managerUser,OU=services,DC=dom,DC=company,DC=com")
                    .managerPassword("password");
    }

Now when the app starts, I go to a secure resource, enter basic auth credentials, I get the print out in the console window that looks like everything is going fine. It finds the user. Then it finishes with this error.

2018-03-06 17:40:22.632 DEBUG 7308 --- [nio-8080-exec-5] o.s.s.w.a.www.BasicAuthenticationFilter  : Basic Authentication Authorization header found for user 'user'
2018-03-06 17:40:22.632 DEBUG 7308 --- [nio-8080-exec-5] o.s.s.authentication.ProviderManager     : Authentication attempt using org.springframework.security.ldap.authentication.LdapAuthenticationProvider
2018-03-06 17:40:22.632 DEBUG 7308 --- [nio-8080-exec-5] o.s.s.l.a.LdapAuthenticationProvider     : Processing authentication request for user: user
2018-03-06 17:40:22.632 DEBUG 7308 --- [nio-8080-exec-5] o.s.s.l.s.FilterBasedLdapUserSearch      : Searching for user 'user', with user search [ searchFilter: '(sAMAccountName={0})', searchBase: 'DC=dom,DC=company,DC=com', scope: subtree, searchTimeLimit: 0, derefLinkFlag: false ]
2018-03-06 17:40:22.671 DEBUG 7308 --- [nio-8080-exec-5] o.s.s.ldap.SpringSecurityLdapTemplate    : Searching for entry under DN '', base = 'DC=dom,DC=company,DC=com', filter = '(sAMAccountName={0})'
2018-03-06 17:40:22.690 DEBUG 7308 --- [nio-8080-exec-5] o.s.s.ldap.SpringSecurityLdapTemplate    : Found DN: CN=user\, lname.,OU=AAA,OU=BBBB,OU=users,DC=dom,DC=company,DC=com
2018-03-06 17:40:22.694 DEBUG 7308 --- [nio-8080-exec-5] o.s.s.l.a.BindAuthenticator              : Attempting to bind as cn=user\, lname.,OU=AAA,OU=BBBB,OU=users,DC=dom,DC=company,DC=com
2018-03-06 17:40:22.695 DEBUG 7308 --- [nio-8080-exec-5] s.s.l.DefaultSpringSecurityContextSource : Removing pooling flag for user cn=user\, lname.,OU=AAA,OU=BBBB,OU=users,DC=dom,DC=company,DC=com
2018-03-06 17:40:22.717 DEBUG 7308 --- [nio-8080-exec-5] o.s.s.l.a.BindAuthenticator              : Retrieving attributes...
2018-03-06 17:40:22.719 DEBUG 7308 --- [nio-8080-exec-5] .s.s.l.u.DefaultLdapAuthoritiesPopulator : Getting authorities for user cn=user\, lname.,OU=AAA,OU=BBBB,OU=users,DC=dom,DC=company,DC=com
2018-03-06 17:40:22.720 DEBUG 7308 --- [nio-8080-exec-5] .s.s.l.u.DefaultLdapAuthoritiesPopulator : Searching for roles for user 'user', DN = 'cn=user\, lname.,OU=AAA,OU=BBBB,OU=users,DC=dom,DC=company,DC=com', with filter (uniqueMember={0}) in search base ''
2018-03-06 17:40:22.721 DEBUG 7308 --- [nio-8080-exec-5] o.s.s.ldap.SpringSecurityLdapTemplate    : Using filter: (uniqueMember=cn=user\5c, lname.,OU=AAA,OU=BBBB,OU=users,DC=dom,DC=company,DC=com)
2018-03-06 17:40:22.760 DEBUG 7308 --- [nio-8080-exec-5] w.c.HttpSessionSecurityContextRepository : SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
2018-03-06 17:40:22.762 DEBUG 7308 --- [nio-8080-exec-5] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
2018-03-06 17:40:22.764 ERROR 7308 --- [nio-8080-exec-5] o.a.c.c.C.[.[.[/].[dispatcherServlet]    : Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception

org.springframework.ldap.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-03100213, problem 2001 (NO_OBJECT), data 0, best match of:
        ''
 ]; nested exception is javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-03100213, problem 2001 (NO_OBJECT), data 0, best match of:
        ''
 ]; remaining name ''

I'm pretty stumped what it's expecting from me. All the other questions I viewed with this error seemed like their queries were failing. But this one is clearly succeeding in finding the user before the error is generated.

Edit: I had them create me a test user with no comma in the name since that was a focus point for people. That doesn't seem to resolve the error.

2018-03-07 13:59:52.569 DEBUG 1384 --- [nio-8080-exec-9] o.s.s.ldap.SpringSecurityLdapTemplate    : Found DN: CN=Test TESTER1,ou=AAA,ou=BBBB,ou=users,dc=dom,dc=company,dc=com
2018-03-07 13:59:52.571 DEBUG 1384 --- [nio-8080-exec-9] o.s.s.l.a.BindAuthenticator              : Attempting to bind as cn=Test TESTER1,ou=AAA,ou=BBBB,ou=users,dc=dom,dc=company,dc=com
2018-03-07 13:59:52.572 DEBUG 1384 --- [nio-8080-exec-9] s.s.l.DefaultSpringSecurityContextSource : Removing pooling flag for user cn=Test TESTER1,ou=AAA,ou=BBBB,ou=users,dc=dom,dc=company,dc=com
2018-03-07 13:59:52.588 DEBUG 1384 --- [nio-8080-exec-9] o.s.s.l.a.BindAuthenticator              : Retrieving attributes...
2018-03-07 13:59:52.591 DEBUG 1384 --- [nio-8080-exec-9] .s.s.l.u.DefaultLdapAuthoritiesPopulator : Getting authorities for user cn=Test TESTER1,ou=AAA,ou=BBBB,ou=users,dc=dom,dc=company,dc=com
2018-03-07 13:59:52.591 DEBUG 1384 --- [nio-8080-exec-9] .s.s.l.u.DefaultLdapAuthoritiesPopulator : Searching for roles for user 'TESTER1', DN = 'cn=Test TESTER1,ou=AAA,ou=BBBB,ou=users,dc=dom,dc=company,dc=com', with filter (uniqueMember={0}) in search base ''
2018-03-07 13:59:52.591 DEBUG 1384 --- [nio-8080-exec-9] o.s.s.ldap.SpringSecurityLdapTemplate    : Using filter: (uniqueMember=cn=Test TESTER1,ou=AAA,ou=BBBB,ou=users,dc=dom,dc=company,dc=com)
2018-03-07 13:59:52.614 DEBUG 1384 --- [nio-8080-exec-9] w.c.HttpSessionSecurityContextRepository : SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
2018-03-07 13:59:52.615 DEBUG 1384 --- [nio-8080-exec-9] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
2018-03-07 13:59:52.616 ERROR 1384 --- [nio-8080-exec-9] o.a.c.c.C.[.[.[/].[dispatcherServlet]    : Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception
org.springframework.ldap.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-03100213, problem 2001 (NO_OBJECT), data 0, best match of:
        ''
 ]; nested exception is javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-03100213, problem 2001 (NO_OBJECT), data 0, best match of:
        ''
 ]; remaining name ''

It looks as though it is trying to read group memberships for your user, but somehow the user's DN is garbled:

Found DN: CN=user\, lname.,OU=AAA,OU=BBBB,OU=users,DC=dom,DC=company,DC=com

and then the search for memberships is done using:

Using filter: (uniqueMember=cn=user\,lname.,OU=AAA,OU=BBBB,OU=users,DC=dom,DC=company,DC=com)

It is stripping the space from the user's CN, hence Active Directory is telling you 2001 (NO_OBJECT) - and rightly so. Seems like a bug in the LDAP handler somewhere.

EDIT

Looking at https://github.com/spring-projects/spring-security/blob/master/ldap/src/main/java/org/springframework/security/ldap/SpringSecurityLdapTemplate.java it would seem that the following code snippet from searchForMultipleAttributeValues() is reformatting your user DN:

    for (int i = 0; i < params.length; i++) {
        encodedParams[i] = LdapEncoder.filterEncode(params[i].toString());
    }

    String formattedFilter = MessageFormat.format(filter, encodedParams);
    logger.debug("Using filter: " + formattedFilter);

So it is either the LdapEncoder.filterEncode() call or the call to MessageFormat.format() . Definitely a bug in Spring LDAP.
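Added example (not code from the question, the answer, or the Spring project): a Python re-implementation of the two steps the answer names, RFC 4515 value escaping as `LdapEncoder.filterEncode()` performs it and `{0}` substitution as `MessageFormat.format()` performs it, run on the DNs quoted in the question's logs so the output can be compared with the "Using filter:" lines. The escape table is the one from RFC 4515 section 3; the `{n}` substitution is a simplified stand-in for `MessageFormat`, which additionally has its own single-quote handling, and it goes beyond the page by also escaping the other filter metacharacters.

```python
# Constructed inputs, copied from the DEBUG lines in the question above.
USER_DN = r"cn=user\, lname.,OU=AAA,OU=BBBB,OU=users,DC=dom,DC=company,DC=com"
TEST_DN = r"cn=Test TESTER1,ou=AAA,ou=BBBB,ou=users,dc=dom,dc=company,dc=com"
ROLE_FILTER = "(uniqueMember={0})"   # DefaultLdapAuthoritiesPopulator's default group filter

# RFC 4515 section 3: characters that must be hex-escaped inside an assertion value.
# A space is not among them, so it passes through unchanged.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def filter_encode(value: str) -> str:
    """Escape one assertion value for safe use inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter(template: str, *params: object) -> str:
    """Encode every parameter, then substitute {0}, {1}, ... into the template.

    Simplified stand-in for MessageFormat.format(): plain placeholder replacement,
    no locale formatting and no single-quote handling.
    """
    result = template
    for index, param in enumerate(params):
        result = result.replace("{" + str(index) + "}", filter_encode(str(param)))
    return result


def has_unescaped_metachar(encoded: str) -> bool:
    """Defensive check: True if a supposedly encoded value still carries a raw
    filter metacharacter (anything other than a correctly hex-escaped backslash)."""
    i = 0
    while i < len(encoded):
        ch = encoded[i]
        if ch == "\\":
            if len(encoded) - i < 3 or not all(c in "0123456789abcdefABCDEF" for c in encoded[i + 1:i + 3]):
                return True
            i += 3
            continue
        if ch in "*()\x00":
            return True
        i += 1
    return False


if __name__ == "__main__":
    for dn in (USER_DN, TEST_DN):
        print(build_filter(ROLE_FILTER, dn))
```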
